Re: FreeBSD Firewall + NAT Traversal + IPsec

2005-04-09 Thread Vince Hoffman
On Sat, 9 Apr 2005, John Mok wrote: To my understanding, the mechanism of how NAT works is that, the client connections from the intranet are mapped to separate ports on the NAT with one single IP address by means of a mapping table, such that the reply packet from the outside to the NAT could

Re: FreeBSD Firewall + NAT Traversal + IPsec

2005-04-09 Thread John Mok
To my understanding, the mechanism of how NAT works is that, the client connections from the intranet are mapped to separate ports on the NAT with one single IP address by means of a mapping table, such that the reply packet from the outside to the NAT could be reversely mapped to the respectiv

RE: FreeBSD Firewall + NAT Traversal + IPsec

2005-04-09 Thread Vince
I do this with the cisco VPN client (to PIX), I am firewalling with pf. Client --- FreeBSD firewall+NAT using pf --- internet - PIX The only problem I had was that isakmp needs to come from port 500 as well as go to port 500 so I needed to add a rule To stop pf changing the source port. My na

Re: FreeBSD Firewall + NAT Traversal + IPsec

2005-04-07 Thread John Mok
The problem is that some visitors might need to connect to the home VPN gateway(s) from my work office. Thus, we could not decide which VPN gateway solution they use. On the other hand, what is the status of FreeBSD on the support of NAT-T? Would it be supported in FreeBSD in later issues, e.g.

Re: FreeBSD Firewall + NAT Traversal + IPsec

2005-04-07 Thread Tom Skeren
John Mok wrote: Dear Tom, Thank you for your quick reply. I would like to know more on the issue. To my understanding, since the source address of the IP packet from the client would be modified on the NAT, normally it would fail AH check on the IPsec VPN gateway, or the FreeBSD NAT has built-in

Re: FreeBSD Firewall + NAT Traversal + IPsec

2005-04-07 Thread Bjoern A. Zeeb
On Fri, 8 Apr 2005, John Mok wrote: Hi, > Thank you for your quick reply. > > I would like to know more on the issue. To my understanding, since the > source address of the IP packet from the client would be modified on the > NAT, normally it would fail AH check on the IPsec VPN gateway, or the >

Re: FreeBSD Firewall + NAT Traversal + IPsec

2005-04-07 Thread John Mok
Dear Tom, Thank you for your quick reply. I would like to know more on the issue. To my understanding, since the source address of the IP packet from the client would be modified on the NAT, normally it would fail AH check on the IPsec VPN gateway, or the FreeBSD NAT has built-in compliance with

Re: FreeBSD Firewall + NAT Traversal + IPsec

2005-04-07 Thread Tom Skeren
John Mok wrote: Hi, I'm new to FreeBSD. Is it possible make a FreeBSD box with firewall + NAT, such that client PC(s) from the NATed internal network could connect to a VPN gateway on the Internet :- client PC - FreeBSD Firewall + NAT Internet IPsec VPN gateway 192.168.x.x/16